The Information Regulator has updated the POPIA Regulations as of April 2025. They clarify compliance obligations and expand data subjects’ rights. If you process personal information, these updates are not optional; they’re a roadmap for staying compliant and building trust.

Here’s a breakdown of what’s changed and what it means in practice.

New definitions that matter

Six new definitions have been added: complainant, complaint, day, office hours, relevant body/bodies, and writing. They’re not just technical tweaks: these terms directly impact how you interpret and apply the regulations.

Objection to processing: Easier and broader access

Regulation 2 has been completely reworked to ensure it’s more accessible and better communicated. Here’s what’s now required:

  • Data subjects can object using Form 1 or something similar, at no cost to them.
  • Objections can be submitted by hand, email, SMS, WhatsApp, or even telephone (as long as calls are recorded).
  • Organisations must clearly inform data subjects of this right at the point of data collection.

Take action: Review and update your privacy notices and internal protocols for handling objections.

Correction or deletion of data: Now with deadlines

Requests for correction or deletion must be handled efficiently:

  • Requests must be free and submitted using a form like Form 2.
  • Acceptable channels include email, WhatsApp, phone, or SMS.
  • Organisations must respond in writing within 30 days.

Takeaway: Set up a process to manage these requests quickly, with clear roles and escalation paths.

Information officer duties: More than just a title

Information officers must go beyond just being a point of contact:

  • They are now explicitly responsible for ongoing compliance and continuous improvement.
  • Their duties are detailed in the updated regulations – make sure your information officer is up to speed.

Take action: Revisit your compliance framework and training plans.

Direct marketing: No more loopholes

Consent for direct marketing has tighter rules:

  • Consent must be explicit – silence doesn’t count.
  • A form like Form 4 must be used.
  • Consent may be gathered across multiple platforms but must always be recorded and retrievable.

Checklist time!

Are your –

  • consent records up to date?
  • opt-in mechanisms clear and accessible?
  • marketing vendors aware of the updates?

Complaints: Broader access, multilingual support

The complaints process has become more inclusive:

  • Complaints can now come from data subjects, their representatives, or those acting in the public interest.
  • Submissions may be made anonymously (with reasons).
  • The complaint must be in writing and can be submitted online, in person, by email, courier, post, or fax (really?!) using Form 5.
  • The Regulator must assist complainants, including those in languages other than English.

Your move: Make your complaints process more visible and easier to navigate.

Administrative fines: New payment flexibility

If your organisation gets fined and you can’t pay the full amount at once, you can ask to pay in instalments. The Regulator will look at your finances and decide whether to approve the request.

Advice: Staying compliant is always cheaper than dealing with a fine.
